Re: [sleuthkit-users] fiwalk hashing and cluster runs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Do you see the same behavior with other tools? What happens when you try to get the file content via icat?

On Feb 19, 2014, at 9:46 AM, Jason Wright <jwr...@gm...> wrote:

> All,
> 
> Recently when examining a number of drives and running fiwalk (sleuthkit 4.1.2 and libewf 20130416) on each of the files, I've noticed that there are a few files that don't get hashed by fiwalk. The files are allocated and do have a size and a file signature, but no hash, I've also noticed that the files that are not getting hashed are similar in that the initialized size from the data attribute is smaller than the actual size. Has anyone come across this situation and is there a way to tell fiwalk to hash them anyway?
> 
> As a footnote, the istat of the files shows the clusters at the end to be zero. In other words, they don't have a cluster assignment. The clusters assigned and listed for these files are as many needed for the initialized size. The remaining clusters that would be needed for the size above initialized and to the actual size have no assignments. This makes sense since when parsing the data attribute, the first byte run is described as expected and followed by 0x00, which would indicate an end of the cluster contents of the file. I am wondering if this has some effect on how fiwalk hashes and results in these files not getting hashed. 
> 
> R/
> 
> Jason Wright
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org